MAL-2026-10588

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/momenntjs/MAL-2026-10588.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10588
Published
2026-07-14T14:00:27Z
Modified
2026-07-14T14:49:14.356203891Z
Summary
Malicious code in momenntjs (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6aae445dd0b77bd7409820067097404e4ccb16d658e7911c7c4e659146fdfad4)

momenntjs is a typosquat of momentjs whose package.json postinstall hook runs node.init.js. On npm install,.init.js enumerates roughly 60 credential-shaped environment variables (including NPMTOKEN, GITHUBTOKEN, AWSSECRETACCESSKEY, STRIPE*, DBPASSWORD, SSHKEY, GCP/AZURE/Cloudflare tokens, and TWINE credentials) and reads home-directory credential files including ~/.npmrc, ~/.env*, config/credentials.json, and files under ~/.config matching token/cred/secret patterns. It also collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid) and POSTs the combined JSON payload to a hardcoded webhook.cool inbox at tender-deer-80. The package provides no legitimate functionality matching its name.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "6aae445dd0b77bd7409820067097404e4ccb16d658e7911c7c4e659146fdfad4",
            "id": "IN-MAL-2026-010518",
            "import_time": "2026-07-14T14:37:52.739265241Z",
            "modified_time": "2026-07-14T14:00:27Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / momenntjs

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/momenntjs/MAL-2026-10588.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-nc6IjJ3B1qCdot2NpGBdNmQmpeago71/INfI/2JBYHLVWFhiW+sk/uIZh31KXXkSI6WMkHODZbP9Ro4ePtwWVw==",
                "sha1": "d13a1a38466774751475d48e101671d4b3c8ba77"
            },
            "filename": "momenntjs-1.0.0.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": ".init.js",
            "sha256": "6eb3939e40f85d1c3f591a3cd3a3edf0fd00c9b09fd7cb48f62e11edca3219b2",
            "tlsh": "d9513181849e521310db2af168034c00a67ee59b3435e6e17e8f02249fddc6c85b3fbd"
        }
    ]
}